Give pod in Kubernetes cluster rights to access Google storage (RBAC/IAM)

1/13/2019

I was doing some research, but could not really find an answer in the K8s documentation. Is it possible to orchestrate that certain pods in a Kubernetes cluster have access to certain resources outside of the cluster, without giving the permissions to the whole cluster?

For example: A pod accesses data from Google storage. To not hard code some credentials I want it to be able to access it via RBAC/IAM, but on the other hand I do not want another pod in the cluster to be able to access the same storage.

This is necessary as users interact with those pods and the data in the storage has privacy restrictions.

The only way I see so far is to create a service account for that resource and pass the credentials of the service account to the pod. So far I am not really satisfied with this solution, as passing around credentials seems to be insecure to me.

-- masked_m0nkey
google-iam
kubernetes
rbac

1 Answer

1/15/2019

Unfortunately, there is only one way to do this, and you wrote that it looks insecure to you. I found an example in the documentation: they store the service account's credentials in a Secret and then use them in the pod from that Secret.

-- Nick Rak
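The "key in a Secret" approach the answer describes, as an added example that is not part of the original question or answer. The namespace, service account, bucket, image and secret names are placeholders. The isolation comes from three things: the Google service account is granted objectViewer only on the one bucket (not on the project), the Secret lives in its own namespace (a pod can only mount Secrets from its own namespace), and no Role in that namespace grants `get`/`list` on secrets to a workload service account. On GKE the key file can be avoided entirely with Workload Identity, which binds a Kubernetes service account to a Google service account; the manifest below sticks to the mechanism the answer names.

```yaml
# Added example (not from the original post). All names are placeholders.
#
# One-off setup outside the cluster:
#   gcloud iam service-accounts create reports-reader
#   gsutil iam ch serviceAccount:reports-reader@my-project.iam.gserviceaccount.com:objectViewer gs://private-reports
#   gcloud iam service-accounts keys create key.json \
#       --iam-account=reports-reader@my-project.iam.gserviceaccount.com
#   kubectl create namespace reports
#   kubectl -n reports create secret generic gcs-reader-key --from-file=key.json
#   rm key.json
#
# Check that a workload in another namespace cannot read the key via the API
# (expected output: "no"):
#   kubectl auth can-i get secrets -n reports \
#       --as=system:serviceaccount:other-ns:default
---
# Dedicated Kubernetes service account for this one workload. Its API token is
# not mounted because the app only needs the Google key, not cluster access.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reports-api
  namespace: reports
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: reports-api
  namespace: reports
spec:
  serviceAccountName: reports-api
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000          # lets the non-root process read the group-readable key file
  containers:
  - name: app
    image: gcr.io/my-project/reports-api:1.0   # placeholder image
    env:
    # The Google client libraries pick up the key from this path automatically.
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /var/run/secrets/gcs/key.json
    volumeMounts:
    - name: gcs-key
      mountPath: /var/run/secrets/gcs
      readOnly: true
  volumes:
  - name: gcs-key
    secret:
      secretName: gcs-reader-key   # only mountable by pods in namespace "reports"
      defaultMode: 0440
```

Two caveats a practitioner should keep in mind: any principal allowed to create pods in the `reports` namespace can mount this Secret, so the real boundary is who holds `create pods` there; and a downloaded service-account key is long-lived, so rotate it (`gcloud iam service-accounts keys create`/`delete`, then update the Secret) and enable encryption of Secrets at rest on the cluster.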
Source: StackOverflow